Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

stats average function suddenly blank

jericksonpf
Path Finder
‎01-02-2013 10:55 AM

Hi,
I have been running a stats query for months on a very basic search to great success. I recently had to change how the field extractions that I pull from the logs look. To do this I used the manager and deleted the old extraction and created a new one with the exact same name. Since then
all the other stats functions work fine, but average comes up blank. Average works fine for other event types and searches. I have tried restarting the box and clearing my browser cache. Did i irrevocably destroy averages for this sourcetype?

This is the search i use
sourcetype="Example" | stats min(example_time), max(example_time), count(example_method), avg(example_time) by example_method

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-02-2013 12:58 PM

Using Verbose mode in Splunk 5.0, or with Field Discovery ON in earlier versions, do you see the fields example_time and example_method in the gray fields box? What is the letter next to the name of the fields - "a" or "#"? If it is an "a", then Splunk thinks the field is alphanumeric. You might check the values, perhaps your new extraction is picking up non-numeric characters.

Other ideas:

Are you sure the name is exactly the same? Field names are case sensitive.

Also, are the permissions on the new field extractions the same as the old field extractions?

Are the new field extractions in the same app as the old field extractions?

Apologies if you have checked these things already...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-02-2013 12:58 PM

Using Verbose mode in Splunk 5.0, or with Field Discovery ON in earlier versions, do you see the fields example_time and example_method in the gray fields box? What is the letter next to the name of the fields - "a" or "#"? If it is an "a", then Splunk thinks the field is alphanumeric. You might check the values, perhaps your new extraction is picking up non-numeric characters.

Other ideas:

Are you sure the name is exactly the same? Field names are case sensitive.

Also, are the permissions on the new field extractions the same as the old field extractions?

Are the new field extractions in the same app as the old field extractions?

Apologies if you have checked these things already...

0 Karma
Reply
Solved! Jump to solution

jericksonpf
Path Finder
‎01-02-2013 02:02 PM

i just re created the example_time field and realized that it was grabbing the ms at the end of the values that are included in the logs now it is working again.

Thanks for your help

0 Karma
Reply
Solved! Jump to solution

jericksonpf
Path Finder
‎01-02-2013 01:57 PM

There is a # next to the name of the fields. The permissions and names are all the same.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...